On Tue, Mar 3, 2009 at 8:31 AM, Naveen <webnaveen@gmail.com> wrote:
>
> When should I use multiple AttributeStatement in SAML 1.1?
Barring limitations with the implementation, this is rarely done.
> One of our customer requirements is to send each Attribute in an
> individual AttributeStatement and with the same Subject.
Why?
> I believe if
> the Subject is different then it needs to be in its own
> AttributeStatement.
Multiple Subjects in a single SAML V1.1 assertion should be
identical. This is the gist of the Subject-based Profiles for SAML
V1.1 Assertions:
http://wiki.oasis-open.org/security/SamlSubjectProfiles
The reason is that there is only one Subject in a SAML V2.0 assertion,
which indicates the way it was meant to be in SAML V1.1.
> In what scenario should I use multiple AttributeStatement?
Avoid multiple <AttributeStatement> elements if possible, for the sake
of interoperability.
Tom
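
An added example, not part of the original message: a receiver-side check that every statement in a SAML V1.1 assertion carries the same Subject, as the reply above says it should. The helper names, the trimmed sample assertion and the `urn:example:attrs` namespace are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML V1.x assertion namespace
NS = {"saml": SAML}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def subject_key(statement):
    """Reduce a statement's <Subject> to a comparable tuple.
    Simplification: SubjectConfirmationData and KeyInfo are not compared."""
    subj = statement.find("saml:Subject", NS)
    nid = subj.find("saml:NameIdentifier", NS)
    name = None
    if nid is not None:
        name = ((nid.text or "").strip(), nid.get("Format"), nid.get("NameQualifier"))
    methods = tuple(sorted(
        (m.text or "").strip()
        for m in subj.findall("saml:SubjectConfirmation/saml:ConfirmationMethod", NS)))
    return (name, methods)

def check_subjects(assertion_xml):
    """Return (all_identical, statement_count) over subject-bearing statements.
    Assumes the assertion's signature was already verified by the caller."""
    root = ET.fromstring(assertion_xml)
    keys = [subject_key(st) for st in root
            if st.find("saml:Subject", NS) is not None]
    return len(set(keys)) == 1, len(keys)

def make_assertion(pairs):
    """Constructed sample: one <AttributeStatement> per (subject, attribute) pair.
    Required attributes such as AssertionID and Issuer are omitted for brevity."""
    stmts = "".join(
        f'<saml:AttributeStatement><saml:Subject>'
        f'<saml:NameIdentifier Format="{EMAIL}">{name}</saml:NameIdentifier>'
        f'</saml:Subject>'
        f'<saml:Attribute AttributeName="{attr}" AttributeNamespace="urn:example:attrs">'
        f'<saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>'
        f'</saml:AttributeStatement>'
        for name, attr in pairs)
    return (f'<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" '
            f'MinorVersion="1">{stmts}</saml:Assertion>')

if __name__ == "__main__":
    same = make_assertion([("alice@example.org", "mail"), ("alice@example.org", "role")])
    mixed = make_assertion([("alice@example.org", "mail"), ("bob@example.org", "role")])
    print(check_subjects(same))   # one attribute per statement, same Subject
    print(check_subjects(mixed))  # Subjects differ: reject
```

A relying party that merges attributes from all statements without this check could attribute one principal's attributes to another when the Subjects differ.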